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Abstract 

We present an index calculus algorithm with double large prime 
variation which lends itself well to a rigorous analysis. Using this 
algorithm we prove that for fixed genus g > 2, the discrete logarithm 
problem in degree class groups of non-singular curves over finite fields 
Fq can be solved in an expected time of 0(q^^^/^), provided that the 
curve is given by a plane model of bounded degree and the degree 
class group is cyclic. 

The result generalizes a previous result for hyperelliptic curves 
given by an imaginary WeierstraB equation obtained by Gaudry, Thome, 
Theriault and the author. 

MSC2000: Primary: 11Y16; Secondary: 14G50, 11G20 



1 Introduction 

In IS] and ITUj index calculus algorithms with double large prime variation 
for the solution of the discrete logarithm problem (DLP) in degree class 
groups of curves of small genus have been given. In '3 it has been proven 
that for fixed genus g >2 one can solve the DLP in degree class groups of 
hyperelliptic curves over finite fields F^, given by an imaginary Weierstrafi 
equation, in an expected time of 0(g^~^/^), provided that the degree class 
group is cyclic or its structure is known. 

In this work, we generalize this result from hyperelliptic curves given by 
an imaginary WeierstraB equation to arbitrary curves. We thereby keep the 
restriction that the degree class group is cyclic or its structure is known. 
Our result is as follows. 



Theorem Let a natural number g >2 be fixed. Then the discrete logarithm 
problem in cyclic degree class groups of curves of genus g in degree 
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class groups of curves given by plane models of bounded degree can with a 
randomized algorithm be solved in an expected time of 0{q^^'^^^). 

The O-notation captures logarithmic factors. The result also holds if the 
degree class groups is not necessarily cyclic but its structure is known. By 
this we mean that a basis of the degree class group as well as the orders of 
the basis elements are known. If the algorithm is applied with respect two 
elements of Cl^(C) for which the discrete logarithm problem is unsolvable, 
it outputs "unsolvable" in an expected running time of 0{q^~'^^^). 

The algorithm has a storage requirement of 0(g " More con- 

cretely, although the algorithm is randomized, there exists a function in 
~ 1--+ ^ 

0{c[ 9 9^) such that the storage requirements are bounded by this func- 
tion for every run. 

In jH Theorem 56] it is shown that there exists a constant C G N such 
that any curve of genus g over any finite field can be represented by a plane 
model of degree < C ■ g. This shows that the theorem in fact applies to all 
curves of a fixed genus whose degree class group is cyclic, provided that 
the curve is represented appropriately. 

The present work is motivated by the fact that the discrete logarithm 
problem in degree class groups of curves is a well established cryptographic 
primitive. 

We note that the scope of the present work lies purely in the realm of 
theoretical cryptology / theoretical computational mathematics. For prac- 
tical computations in degree class groups of non-hyperelliptic curves of 
small genus, we advice to try to construct a plane model of degree g + 1 oi 
smaller (see ^ Section 6]) and then to follow the algorithm outlined in ^ 
Section 5]. 

The algorithm is given in the next section, and the analysis is given in 
Section 01 

Terminology and data structures 

In the theorem, we implicitly used the following terminology and the follow- 
ing conventions concerning data structures. 

If not stated otherwise, a curve is always irreducible and non-singular. 
A plane model of a curve over a field /c is a possibly singular curve in P| := 
Proj(A;[X, y, Z]) which is birational to the curve. We represent a curve via a 
(fixed) plane model, and we represent the plane model (and thus the curve 
itself) by a defining homogeneous polynomial F{X,Y, Z). 

We represent the points of C by their corresponding points of the plane 
model, with some additional information for the singular points. 

By a divisor on a curve C over a field k we always mean a divisor of C 
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over k (a A;-rational divisor). We think of divisors as being represented as 
a formal sum of closed points of C. (This is called the free representation 
in 0.) If D is a divisor, the corresponding divisor class is denoted by [D]. 
The degree class group of C over ¥g is denoted by C1°(C). 

Let us consider curves over finite fields ¥q. For fixed genus and q ^ 0, 
for any curve C over ¥q, C{¥q) is non-empty. We assume that this is the 
case and fix a point Pq G C{¥q). After having fixed Pq, the elements in 
Cl^{C) can be represented in the following way: An effective divisor D is 
called maximally reduced along Pq if the linear system |Z) — PqI is empty. 
By the Riemann-Roch theorem, maximally reduced divisors have degree 
< g, and D i-^ [D] — deg{D) ■ [Pq] defines a bijection between the set of 
maximally reduced effective divisors and Cl''(C) (see 5, Prop. 8.2.]). We 
think of degree divisor classes as being represented by their corresponding 
maximally reduced effective divisors. 

With this representation of the elements of the degree class group, 
the arithmetic in Cl'^(C) can - for curves represented by plane models of 
bounded degree - be carried out in randomized polynomial time (cf. e.g. 

M, 0, 0, 0). 

Double large prime variation and this work 

As has already been stated, the theorem has already been proven for hyper- 
elliptic curves given by an imaginary Weierstrafi equation in ^3._. Moreover 
it has been pointed out in ^ that heuristically the result also holds for ar- 
bitrary curves of represented by plane models of bounded degree. Because 
of the close relationship between this work and we advice the reader to 
have [Hj at hand when he goes through the details of the algorithm. 

Let us recall some basic ideas about index calculus with double large 
prime variation and the proof of the theorem for hyperelliptic curves given 
by an imaginary Weierstrafi equation in 

Generally speaking, a double large prime variation of an index calculus 
algorithm consists of the following: One not only considers relations which 
split over the factor base but also takes relations with up to two large primes 
into account. These relations are stored as edges in a so-called graph of large 
prime relations. This graph is used to obtain "recombined" relations over 
the factor base. 

There are two double large prime variation algorithms presented in |2j : a 
"full algorithm" and a "simplified algorithm". The theorem in [H] is proven 
with the simplified one. Here one does not construct the whole graph of 
large prime relations but only a tree; we call such a tree a tree of large 
prime relations. At a later stage any relation which splits into elements of 
the factor base or vertices of the tree is used to obtain a relation over the 
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factor base. 

The main challenge resides in controlling the growth of the tree of large 
prime relations as well as its depth, that is, the maximal distance of any 
vertex to the root. For hyperelliptic curves given by an imaginary Weierstrafi 
equation this is relatively easy because one has a concrete description of the 
effective divisors which are maximally reduced along the point at infinity, 
and one therefore knows that the growth process is very regular. 

The algorithm given in this work is a modification of the "simplified 
algorithm" in p|. The analysis relies on the following proposition. 

Proposition 1 For curves of fixed genus g over finite fields ¥q, the number 
of special effective divisors of degree g is in 0{q^^^). 

Recall that an effective divisor D is called special if the linear system \K — D\ 
is non-empty, where K is a canonical divisor. Note that by the Riemann- 
Roch theorem, an effective divisor of degree g is non-special if and only if it 
is the only if the linear system \D\ merely contains D itself. 

We have a canonical injection from the set of non-special divisors of 
degree g into the set of along Pq maximally reduced effective divisors: Let D 
be a non-special effective divisor, and let D' be the unique effective divisor 
of minimal degree with D' + (deg(D) — deg(-D')) ■ Pq = D. Then D' is 
maximally reduced along Pq. 

We assume that Proposition ^ is well known to many experts in curves 
and function fields. For the lack of a suitable reference we give a proof in an 
appendix. Note that a straightforward application of the Hasse-Weil Bound 
merely gives that the number in question is in 0{q'^~^f'^). 

This proposition makes it possible to discard all special divisors in the 
analysis of the construction of the tree of large prime relations. It remains 
the problem to control the growth of the tree. For this, we modify the 
"simplified algorithm" in |3] in such a way that the depth of the tree (not 
only the expected value of the depth) always lies in 0(log(g)). 

2 The algorithm 

Let c/ G N, 5 > 2 be fixed. 

In the following, we consider the discrete logarithm problem in cyclic 
degree class groups of curves of genus g over finite fields Fg, given by plane 
models of bounded degree. We thereby implicitly use the data structures 
described in the introduction. As stated in the introduction, the theorem 
also holds if the degree class group is not necessarily cyclic but its structure 
is known. In this case the algorithm should be modified according to the 
description in Section 7]. 
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The L-polynomial of a curve over ¥g given by a plane model of bounded 
degree can be computed in (deterministic) polynomial time in log{q). (This 
follows from |12| Theorem H] which in turn relies on Pila's extension of 
the point counting algorithm by Schoof (^SJ) to abelian varieties (|IT|).) 
This means in particular that the order of the degree class group can 
be computed in polynomial time in log(g). Moreover, the order can be 
factored in sub exponential time with the algorithm in In the following, 
we therefore assume that the order and its factorization are known. 

The algorithm below terminates in a finite expected time and solves - 
if possible - the discrete logarithm problem for q ^ 0. In order to obtain 
an algorithm which always yields the solution to the DLP (or outputs "un- 
solvable"), one can let the algorithm run "in parallel" with a brute force 
calculation (that is, for every step of the algorithm below, one brute force 
try is performed). 

Let C be a curve of genus g over ¥q such that Cf{C) is cyclic, and let 
a, 6 G Cl^{C). The goal is to determine if 6 S (a) and - if this is the case - 
to compute an x € N such that x ■ a = b. 

Let i := #C1°(C). 

Reduction to the DLP with respect to a generator 

The first step of the algorithm consists of a reduction of the problem to the 
discrete logarithm problem with respect to a generator of the group: 

By Theorem 34], for g S> 0, there exists some P € C(Fg) — {Pq} such 
that c:=[P]- [Pq] generates C1°(C). 

To find such a point P, we iterate over all elements of C{¥q). For each 
P, we test for each prime factor /i of ^ if ^ • c 7^ 0. If this is the case, the 
order of c is £, and we fix the point P. 

If we have found such a P, we proceed as follows: We determine Xa, Xf, G 
Z/£Z with Xa ■ c = a,Xb ■ c = b with the algorithm described below. Then 
we try to determine an x € TLjlTL with x ■ Xa = x^- If no such x exists, we 
output "unsolvable" , otherwise, we output x. 

If no such P exists, we try to solve the DLP with brute force. 

From now on, we assume that a generates Cl^{C). 
The factor base 

We fix any factor base T = {^1,^2, • • •} C C{¥q) - {Pq} of size \q~^^. 
(If C(Fq) — {Pq} contains less elements, the algorithm terminates.) As in jSj 
let C := C(Fg) — (JF U {Pq}) be the set of large primes. 
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Construction of the tree of large prime relations 

Similarly to the "simplified algorithm" in T, we construct a tree of large 
prime relations on £ U {*}. 

For this we repeatedly choose uniformly randomly a, /3 € Z/iZ and 
compute the along Pq maximally reduced effective divisor D with 

[D] - deg{D) ■ [Po] =aa + pb. (1) 

We thereby choose a and (3 independently of each other and independently 
of all previous choices. 

Recall the following usual definition for double large prime variation 
algorithms (cf. j^). 

Definition 2 A relation as is called Full if D splits into divisors of the 
factor base. It is called FP if D is completely split and is the sum of elements 
of the factor base and the non-zero multiple of one large prime. It is called 
PP if D is completely split and is the sum of elements of the factor base 
and non-zero multiples of two large primes. 

FP relations are stored in the tree of large prime relations by inserting a 
labeled edge between * and the large prime in the relation, and PP relations 
are stored by inserting a labeled edge between the two large primes in the 
relations. 

In comparison to the "simplified algorithm" in 0, we modify the con- 
struction of the tree of large prime relations: 

We construct the tree in stages, and during each stage we only attach 
edges to the tree which are connected to vertices constructed in the previous 
stage. In Stage 1, we attach edges coming from FP relations to the 

root *. Thereafter, we terminate Stage s and start Stage s + 1 whenever the 
tree has 2*~^ • edges. 

Let us fix this notation. 

Notation 3 The set of vertices of a tree T is also denoted by T. 

A (semi-)formal description of the construction of the tree is as follows. 

Algorithm: Construction of the tree of large prime relations 

Construct a tree on £ U {*} as follows: 
Let To consist only of the root *. 
Let s < — 1. 
Repeat 
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Construct a tree Ts which contains T^-i as a subtree as follows: 
Repeat 

Choose a,/3 G Z/£Z uniformly and independently 
of each other and of all previous choices at random. 
Compute the along Pq maximally reduced divisor D with 

[D] - deg(D) • [Po] = aa + (3b. 

If D splits as D = rjFj + cpP + cqQ where cp > 0, cq > 0, 
P G J^ur^_i and Q G - (TUTs), 

\f P £ T (i.e. if we have an FP relation), 

insert an edge from * to Q into the tree Ts, 
if P G Ts-i (i.e. if we have a PP relation), 

insert an edge from P to Q into the tree Ts, 
in both cases labeled with {rj)j (in sparse representation). 
Until r, contains 2^-^ ■ Iq^'^/^] edges. 
let s < — s + 1. 

This construction of the tree guarantees that the depth of the tree is 
always in 0(log(g)) (see also inequality © in the next section). The main 
difficulty of the analysis of the algorithm resides in proving that a tree of 
sufficient size can be constructed in an expected time of 0{q'^~'^^^). This is 
verified in the next section. 

The construction of the tree is abandoned if a predefined number of 
edges Nma.x is reached. (To improve the readability we did not include this 
criterion in the description above.) We could for example set A'max := \Q/^^ ■ 
We will however argue in the analysis of the algorithm in the next section 
that A'^tnax := \q^^^/3+'^/9 "| suffices. This smaller value of A'^max only lowers 
the time for the construction of the tree by a constant factor but decreases 
the storage requirements substantially. This is analogous to the situation 
ini- 

After a tree T := Ts with A'^max edges has been constructed, we proceed as 
in Phase 2 of the "simplified algorithm" in |Sj . Let us for simplicity assume 
that i is prime. In the general case (in particular if i is not square free), 
the following description should be modified according to the description in 
Sections 3 and 4 in |^. 

Construction of the matrix 

We construct a sparse matrix with columns and + 1 rows as follows. 

We again generate relations by choosing a and f3 independently uni- 
formly at random. If the divisor D in such a relation splits over J^UT, we 
use the tree to substitute the large primes involved by sums of possibly neg- 
ative multiples of elements of the factor base, and we store the coefficient 
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vector of the "left-hand side" of the resulting relation as a new row of a 
sparse matrix R. 

Linear algebra 

After having constructed R, the DLP can be solved via a linear algebra 
computation as usual in index calculus algorithms for cyclic groups: We 
compute a vector v over TLjiTL with vR = which is uniformly randomly 
distributed over all vectors in the kernel of i?* with an algorithm from sparse 
linear algebra. If then Vi(5i € {'L/l'L)* , the solution to the DLP is 

Hi vA 

as usual. If the condition Yli'^il^i ^ {'L/i'L)* is not satisfied, one could 

compute a new row for the matrix R and then perform the linear algebra 

computation again. Repeating this procedure would however with a very 

1--+ ^ 

small probability lead to a storage requirement which is not in 0(g » 9^). 

Because we want to bound the storage requirements for every run (in- 
stead of merely bounding the expected value of the storage requirements), 
we do not insert a new row into the matrix if the computation fails but in- 
stead restart the whole computation of the matrix R. (The same approach 
has been taken in [21. ) 



3 Analysis 

We now show that the algorithm outlined above computes a solution to the 
DLP in an expected time of 0{q^^'^/^) (as always for fixed genus g > 2 and 
q — > 00). 

As already pointed out, the analysis relies on Proposition ^ Let C > 
be such that for all curves of genus g over any finite fields Fg the number of 
special divisors of degree g is < C • q^~^. 

As in the previous section, let A'^max := [5^^^/^+-'^/^^] be the number 
of edges (that is, the number of vertices different from *) at which the 
construction of the tree is stopped. 

The conditions 

A^max + #-F < q/4. #(C(Fg) - {Po}) G [max{(7^-^g/2},2g] 

#Cf{C)<2q9 q>{^-gl-Cy 

hold for q ^ 0; we assume that they are satisfied. 
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Construction of the generator and of the factor base 

One can iterate over all points of C{¥q) in an expected time of 0{q) as 
follows: 

One iterates over the {X, Z)-coordinates, and for each iteration one fac- 
tors the polynomial describing the y-coordinates of the points with the 
prescribed {X, Z)-coordinates. 

With this procedure one can find a point P G C(Fq) such that [P] — 
[Pq] generates Cl''(C) as well as determine an appropriate factor base in an 
expected time of 0{q). 

Construction of the tree of large prime relations 

We come to the analysis of the growth of the tree of large prime relations. 

Note first that by our assumption that (a) = Cl'^(C), if a and /3 are drawn 
uniformly at random from Z/£Z, aa + f3b is also drawn uniformly at random 
from Cl''(C). This means that the divisor L) in © is drawn uniformly at 
random from the set of all effective divisors which are maximally reduced 
along Pq. 

By our assumptions on q, we always have 

#(C(F,) -{TsUj^U {Po}) > q/2 - q/4 = q/4 . (2) 

Let Div^(C) be the set of effective divisors of degree g on C, and let 
J3jy9,ns^^-j (■j^ggp^ Div^''^(C)) be the subset of non-special (resp. special) effec- 
tive divisors of degree g. 

Let us first assume that we are still in Stage 1, that is, only relations 
with one large prime (not yet in the tree) are considered. 

Let us assume we are given the tree Tq or we have already constructed 
a tree Ti with < \q^^^^^~\ edges. We want to bound the expected number 
of relations needed until a new edge is inserted into the tree. 

Let 

5 := {Pi + • • • + G Div9(C) \yi = l,...,g-l:PieT, 

Pg GC(Fg)-(TiU.FU{Po})}, 

Note that any divisor D G S^^ is maximally reduced along Pq (because 
Pq is not contained in the support of D and the linear system \D\ consists 
merely of D). If a divisor D = Pi + • • • + P^ as in the set S^^ appears in a 
relation a new edge is inserted into the tree. (Other divisors might also 
lead to new edges: We ignore FP relations which involve a larger multiple 
of the large prime, we ignore non-special divisors, and we ignore divisors of 
degree < g.) 
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(3) 



We have 

*S = ■ #(C(F,) - (Ti U ^ U {Po})) > ^ • g/4 by @ 

By our assumption that q > {4: ■ g\ ■ C)^, we have 

# Div^?'^(C) < CqS-' < ^ ■ < ^(^^ • 9'"'+' • (4) 

Inequahties © and ^ imply 

Together with our assumption that ^Cl^{C) < 2q^, this imphes that the 
probabihty that a relation enlarges the tree is 

> #S-' > 1 -d-i) 
- #ClO(C) - 16(5-1)! 

The expected number of relations Q which have to be considered until the 
tree is enlarged is thus 

< 16(5 - 1)! • Q^'^ ■ 

1-- 

This implies that the expected number of tries until the tree has \q 
edges is 

< 16(5 - 1)! • q^'^ ■ [q^'h < 16(5 - 1)! • (q + 1)^"^ ■ 

We now assume that s > 2 and a tree Tg-i with 2*~^ • [q'-'^^^/^] edges 
and a tree Tg with < 2*"-^ • [g"^"^'^^] edges has already been constructed. 
The task is again to derive a bound on the expected number of relations 
needed until the tree is enlarged. 

Similarly to above, let 

S :={p^ + ... + Pge Divf (C)| Vi = 1, . . . ,5 - 2 : Pi G .F, 

E.Fur,_i, PgeC{¥g)-{TsUTU{Po})} , 

:= 5nDivf''^'^(C) . 

We now have 

#^ = ((*^,^r') + ■ #(^-1 - {*})) • -{TsUTU {Po})) 



(9-1)^ -, o 



> ( • q— + • 2^-' ■ q—) ■ q/^ 

) ■ q^-^^-9 . 

(5) 



U(ff-l)! + 4(3-2)! ^ ) q 
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Together with this imphes 



norm y ^ . r>s-2 . „9-l+7; 

*^ -4(5-2)! ' ^ 
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This imphes that the probabihty that a relation enlarges the tree is 

-8(g-2)! ^ 

The expected number of relations which have to be considered until the 
tree is enlarged is thus 

This implies that given any tree T^-i with 2*~^ • edges, the expected 

1— - 

number of tries until a tree with 2*^ ■ \q s] edges is constructed is 

<16(5-2)!-(g + l)'-f . 

We always have have s = 0(log(g)) as can be easily be seen: For every 
run of the algorithm we have for s > 2 

2q > #(T, - {*}) > #{Ts-i - {*}) = ■ [q'--^] , 

i.e. 

s < log2(<7^) + 3 = ■ ,1^ ■ log(g) + 3 = 0(log(g)) . (6) 

2—- 

It follows that in total an expected number of 0{log{q) ■ q ») relations 
(P) have to be considered until the tree has A'^max edges. As each of these 
relations can be obtained in an expected time of 0(log(g)*-^'-^^), we conclude 
that a tree with A'^max edges can be constructed in an expected time of 

9 2 

0{q^--^) . 

Note that the depth of the tree is always bounded by s. In particular, 
as s = 0(log(g)), the depth of the tree is also in 0{\og{q)). 

Construction of the matrix 

We now assume we have constructed a tree T with A^max = \q ] edges. 

Similarly to above let 

5 := {Pi + . • • + e Divf (C)| Vi = 1, . . . , g : Pi G U (T - {*})} , 
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Then S contains > ^ • {#T + #(T - {*})y > ^ • q^'^^s elements. By 

the first two inequahties of (HJ, S^^ contains at least ^ • ^ elements. 

This means that the probability that a relation splits into elements of 
the factor base or vertices of the tree is 

, 3 -(1-1, 

The expected number of relations (Q) which have to be considered until 

2-- 

a matrix of size 0{^J-) is constructed is therefore in 0(g »). As each 
relation can be computed in a time of 0{\og{q)^^^'>) and the depth of the 
tree is in 0(log(g')*^^^^), this means that a matrix of size 0{^J-) can be 
constructed in a time of 



Linear algebra 

The linear algebra takes place on a sparse matrix with 0{q^^^^^) columns 
and [g^"^''^] rows. (If the group order is square-free, a matrix with = 
_)_ X rows suffices, but if the matrix is not square-free, according to 
the description in 21, one constructs a larger matrix.) 

Writing the relations in rows, as the tree has depth 0(log(g)), every row 
contains only 0(log(g)) non-zero entries. 

We apply the algorithm in Section 4 of 12^ to compute a vector v over 
Z/£Z with vR = 0. This algorithm now terminates in an expected time of 

~ O 2 

0{q^~-^) . 

As argued in [HI Section 4.5], the double large prime variation does not 
affect the failure probability of the linear algebra computation, that is, the 
results of [21 Section 4] still hold: After an expected number of 0(log(g)'^^^^) 
restarts of the construction of the matrix i?, the linear algebra computation 
leads to the solution of the DLP. 



Final result 

We have seen that the construction of the tree of large prime relations, 
the construction of the matrix R and the application of the linear algebra 

~ 2-- 

algorithm in |2l Section 4] all have a running time of 0{q s). Moreover, 
we have argued that after an expected number of 0(log(g)*^^^^) restarts of 
the computation of the matrix R, the linear algebra computation leads the 
solution to the DLP. This means that the total running time is in 

~ r, 2 

0{q^-^) , 
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in accordance with the theorem in the introduction. 
Storage requirements 

Clearly there exists a function in » 9^) such that the storage require- 

ments for the tree are bounded by this function for every run of the algo- 
rithm. 

The storage requirements for the matrix are (for every run of the al- 
gorithm) bounded by a function in 0{q 9). Note again that this is the 
case because we restart the construction of the matrix every time the linear 
algebra computation fails instead of inserting a new row. 
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A On the number of special divisors 

The purpose of this appendix is to prove Proposition ^ in the introduction. 
Let C be a curve of genus g over F^. 

Let Div^(C) be the set of effective divisors of degree g on C, and let Dq 
be an divisor of degree g on C. We have the surjective map Div^(C) — > 
Cl^ {C),D I— > [D] — [Dq]. Note that the set of special divisors of degree g is 
exactly the subset of Div^(C) where the map to Cl'^(C) is not injective. 

The number of special divisors is therefore bounded from above by 
2(#Div3(C)-#Cl°(C)), audit suffices to prove that # Div3(C)-# C1°(C) = 
0{qs-^). 

We follow the exposition to the zeta- function in 

Let L = Y[i=ii^ ~ Q^i^) G C(t) be the L-polynomial of C, let An be the 
number of divisors of degree n, let Bn be the number of prime divisors of 
degree n on C, and let 



As the ai can be arranged such that Ojag+j = q for all i = 1, . . . , g', we have 




i=l 



#C1' 



(C) = L(l) =q^-S- qS-^ + 0{q3-^) . 
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We thus have to show that 

Ag = q9 - S ■ q3-^ + 0{q^-^) . (7) 

The fact that any divisor of degree g can be expressed as a (up to permuta- 
tions) unique sum of prime divisors imphes 



^ 



where the sum runs over all e € Nq with = g and the products run 

over r E {1, . . . g}. We have 

Bi=q + 1-S , 
and by Proposition V.2.9], we have in particular 

B, = -.q- + 0{q'-^) 
r 

for r > 2. 

This implies that 

i.e. 

= EdI 7T • i) • - ^1 • ^ • ^'"') + Oil'-') ■ 

e r 

In order to derive ((T)) it remains to be shown that 

e r 

and 



Equation (jH)) is equivalent to 



This is true because for any e G Nq with e^r = g, the set of permutations 
in Sg having exactly Cr r-cycles has Ylr fi, ' ^ elements. 
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We come to Equation Q- Note that we have a bijection 

{e G No^l Er ^rT = ff, ei / 0} ^ {e' G n^'^ Zr <r = g - 1} , 

e I— > e' 

with e'l = ei — 1 and = for ah i = 1, . . . , g — 1. 
Equation @ is then equivalent to 

En^-;^ = b-iV, (11) 

e' r ^ 

where the sum runs over all e' G Nq with e[.r = g — 1 and the products 
run over r {1, . . . , g — 1}. This is true by the same argument as the one 
for Equation (fTU)) (with Sg substituted by Sg-i). 
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